On 2014-06-25 at 15:06, Michel <msa...@paybox.com> wrote:
> Excerpt from the book "Network Security with OpenSSL":
>
> "An SSL_CTX object will be a factory for producing SSL connection objects.
> This context allows us to set connection configuration parameters before the
> connection is made, such as protocol version, certificate information, and
> verification requirements.
> It is easiest to think of SSL_CTX objects as the containers for default
> values for the SSL connections to be made by a program.
> …

Thanks for the reminder. But I read the OpenSSL manual pages already, of course - but as the documentation of OpenSSL is (to be honest) really bad, I wanted to make this absolutely clear.

> In general, an application will create just one SSL_CTX object for all of the
> connections it makes."
>
> And yes, this is also true for multithreaded connections, as long as we are
> aware of:
> https://www.openssl.org/docs/crypto/threads.html

Ok, but then please allow the question how I should deal with

  SSL_CTX_set_cert_verify_callback(sslCtx, func, conn);

in that context? Because currently we use this function to define our own verify callback function, and we supply ‘conn’ here as an application-specific pointer argument (and extract it via X509_STORE_CTX_get_app_data(x509_ctx) within the callback function) for filling in the individual results of the certificate verify process of a specific SSL connection.

The problem that arises here is that this ‘conn’ pointer is connection specific in our case. That means I want to be able to use a connection-specific ‘conn’ argument with SSL_CTX_set_cert_verify_callback(), but if I call this function once at the very beginning of my application I can only specify it once, and calling SSL_CTX_set_cert_verify_callback() on the same sslCtx pointer for every parallel connection will of course overwrite the old setting.

So how can I specify my own app_data for every connection? IMHO there should be something like SSL_set_cert_app_data() so that I can specify different app_data for different SSL connections.

regards,
jens

-- 
Jens Maus, Dresden/Germany
http://jens-maus.de/
(Please note a real name change effective since 5.9.2013. Former name: Jens Langner)
*** Content is authentic only with digital signature ***